[10293] in bugtraq


Re: stored credentials was: Netscape 4.5 vulnerability

daemon@ATHENA.MIT.EDU (Bernd Eckenfels)
Wed Apr 21 15:06:00 1999

Date: 	Tue, 20 Apr 1999 21:59:24 +0200
Reply-To: Bernd Eckenfels <lists@LINA.INKA.DE>
From: Bernd Eckenfels <lists@LINA.INKA.DE>
X-To:         r.fulton@AUCKLAND.AC.NZ
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <SIMEON.9904191026.N3303@bluebottle.itss>; from Russell Fulton on
              Mon, Apr 19, 1999 at 10:01:26AM +1200

On Mon, Apr 19, 1999 at 10:01:26AM +1200, Russell Fulton wrote:
> To my knowledge you are correct.  The bottom line is this: Client
> programs that store credentials so the user does not have to enter them
> every time the program is used are insecure.  End of story.

Well actually you can use one key/passphrase to secure all the stored
credentials. This has the advantage that you don't need to remember all
credentials (which is impossible for secret keys anyway). But it has the
disadvantage that the security is
a) breakable by trojans/backdooring
b) as secure as the (weakest) manually entered password
Netscape supports passwords to unlock the credential store. On a physically
secure system this provides a bit of security. On physically insecure systems
even smartcards can fail, since the trojan can use the plugged-in smartcard
without the user noticing it.

Greetings
Bernd
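
A sketch of the scheme discussed in this message, one passphrase protecting a whole credential store, added here as an example; it is not part of the original post and not Netscape's code. The names seal, unseal, ITERATIONS and SAMPLE are assumptions, and the HMAC-based keystream is a standard-library stand-in for a vetted authenticated cipher.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example

def _keys(passphrase, salt):
    # One passphrase -> 64 bytes, split into an encryption key and a MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; stand-in for a vetted AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(passphrase, credentials):
    """Encrypt-then-MAC the whole store under keys derived from the passphrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    plain = json.dumps(credentials).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    body = salt + nonce + cipher
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(passphrase, blob):
    """Return the credentials, or raise if the passphrase or the blob is wrong."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, cipher = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or modified store")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    # From here on the credentials are plaintext in this process's memory,
    # which is where point (a) of the message applies.
    return json.loads(plain)

# Constructed sample data, not real credentials.
SAMPLE = {"mail.example.org": "s3cret-mail", "news.example.org": "s3cret-news"}
```

Every credential in the store is only as strong as the single passphrase given to seal, which is point (b) of the message.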
